[Samba] Groups and LDAP

Patrick thor at firerun.net
Thu Nov 20 22:31:44 GMT 2003


Rob,

Maybe I can shed some light on this for you.  I have just set up a Samba 
PDC + LDAP machine here.  For the group assignments to work you will 
still need to have a unix group on the machine.  So you use the normal 
method to add a unix group in the LDAP directory.  You can then add any 
users you want to that group.  So, for example, I set up the following unix 
group in LDAP:

# ntadmins, Groups, firerun, net
dn: cn=ntadmins,ou=Groups,dc=firerun,dc=net
cn: ntadmins
objectClass: top
objectClass: posixGroup
gidNumber: 1000
memberUid: root
memberUid: patrick

Then you will need to use the net tool to do a group mapping.  First you 
will need to look up the SID of the domain, so you will use "net 
getlocalsid SID".  Once you have the Domain SID you will use the following 
command to map the unix group to a domain group:

net groupmap add sid=<domain sid>-512 ntgroup="Domain Admins" unixgroup=ntadmins type=domain

That command will add the samba group mapping attributes and the 
ntadmins group will now be the Domain Admins group on Windows clients. 
Any users that are added to the ntadmins unix group will be members of 
the Domain Admins group.  To confirm the mapping just use "net groupmap 
list".

Patrick

Robert Rati wrote:

> I'm a little weak on how the groups assignments work with Samba and 
> LDAP.  The Samba HOWTO collection says to map each Domain Group to a 
> UNIX system group, but if all authentication is done via LDAP (Unix 
> and Windows) then do the groups still have to exist on the Samba Unix 
> machine?  Where do the RIDs fit into all this?  I don't see a schema 
> in LDAP for sambaGroup.  Do I create the domain groups with the 
> posixGroup schema and set their gid to a RID that will exist on the 
> Windows machine (like 512 for Domain Admins)?  Or do I just bypass the 
> group mapping altogether and set a Domain Admins sambaPrimaryGroupSID 
> to <SID>-512? Any help on this would be very helpful, as I think I'm 
> confusing myself.
>
> Rob
>
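The procedure Patrick describes above (create the posixGroup in LDAP, read the domain SID with net getlocalsid, map the unix group to the well-known RID 512 with net groupmap add, then confirm with net groupmap list), collected into a small POSIX sh script. This is an added example and not part of the original thread or of Samba itself. The function names, the hostname PDC, the sample domain SID and the two sample output strings are assumptions; the output strings are constructed to follow the "SID for domain X is: S-..." and "NT group (SID) -> unixgroup" line formats of the Samba 3 net tool of that era, so the script runs offline with no PDC or LDAP server present. Replace BASE_DN with your own suffix and feed the LDIF into ldapadd on a real system.

```shell
#!/bin/sh
# Added example, not code from the original post. Wraps the manual steps so
# the SID arithmetic and the final check are scripted instead of eyeballed.

BASE_DN="dc=firerun,dc=net"   # assumed LDAP suffix (matches the LDIF in the post)

# Pull the domain SID out of `net getlocalsid` output, assumed to look like:
#   SID for domain PDC is: S-1-5-21-111-222-333
domain_sid_from_output() {
    sed -n 's/^SID for domain .* is: \(S-[0-9-]*\)$/\1/p'
}

# Well-known RIDs Windows uses for the built-in domain groups.
rid_for() {
    case "$1" in
        "Domain Admins") echo 512 ;;
        "Domain Users")  echo 513 ;;
        "Domain Guests") echo 514 ;;
        *) echo "unknown NT group: $1" >&2; return 1 ;;
    esac
}

# Emit the LDIF for the posixGroup that backs the NT group.
# $1 = cn, $2 = gidNumber, remaining args = memberUid values
posix_group_ldif() {
    cn=$1; gid=$2; shift 2
    printf 'dn: cn=%s,ou=Groups,%s\n' "$cn" "$BASE_DN"
    printf 'cn: %s\nobjectClass: top\nobjectClass: posixGroup\ngidNumber: %s\n' "$cn" "$gid"
    for uid in "$@"; do printf 'memberUid: %s\n' "$uid"; done
}

# Build the `net groupmap add` command for a domain SID, NT group and unix group.
groupmap_add_cmd() {
    rid=$(rid_for "$2") || return 1
    printf 'net groupmap add sid=%s-%s ntgroup="%s" unixgroup=%s type=domain\n' "$1" "$rid" "$2" "$3"
}

# Succeed only if `net groupmap list` output (on stdin) shows the expected
# "NT group (SID-RID) -> unixgroup" line for $1 = domain SID, $2 = NT group, $3 = unix group.
mapping_present() {
    rid=$(rid_for "$2") || return 1
    grep -q -F "$2 ($1-$rid) -> $3"
}

# Constructed sample output (not real data) so this runs without a PDC.
SAMPLE_GETLOCALSID='SID for domain PDC is: S-1-5-21-1000000000-2000000000-3000000000'
SAMPLE_GROUPMAP_LIST='Domain Admins (S-1-5-21-1000000000-2000000000-3000000000-512) -> ntadmins'

# On a real PDC:  DOMAIN_SID=$(net getlocalsid | domain_sid_from_output)
DOMAIN_SID=$(printf '%s\n' "$SAMPLE_GETLOCALSID" | domain_sid_from_output)

posix_group_ldif ntadmins 1000 root patrick           # pipe this into: ldapadd -x -D <admin dn> -W
groupmap_add_cmd "$DOMAIN_SID" "Domain Admins" ntadmins   # run this on the PDC
printf '%s\n' "$SAMPLE_GROUPMAP_LIST" | mapping_present "$DOMAIN_SID" "Domain Admins" ntadmins \
    && echo "Domain Admins -> ntadmins mapping present"
```

The check at the end is the scripted form of "net groupmap list": it only passes when the group name, the full SID with the 512 RID and the unix group all line up, which is what a client expects before it will treat ntadmins members as Domain Admins.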



